Introduction

> Near Field Communication (NFC) protocol over short-distance RFID at 13.56MHz

> Enables contactless data exchanges between passive tags (PICC) and active hosts (PCD)

> DESFire type cards provide modern cryptographic algorithms and a more sophisticated feature set

> Chameleon Mini (RevG) devices used for pentesting and security applications as tag emulators and data loggers





Maxie Dion Schmidt (GA Tech) FTC 2021 — Embedded DESFire October 2021 2/31 


High-level overview (cont'd)

> DESFire emulation support for the Chameleon Mini has been a frequently requested, but complicated to deliver, feature for years

> How the first testing releases came together in the Fall of 2020
> https://github.com/emsec/ChameleonMini/pull/287



















> Significance: First of its kind functional embedded proof-of-concept DESFire stack that is freely available as OSS to researchers, security experts and end users alike

> Limitations: Small R&D budget for testing and lack of standardized default data transfer modes to ensure interoperability amongst door readers in applications
> The Chameleon Mini device hardware profile and embedded software features

> Overview of key features of the proprietary DESFire command set

> Key features and challenges in writing the embedded DESFire implementation (with examples)
Chameleon Mini Hardware

Origins of the project I

Origins of the project II

[Screenshot: Chameleon Mini Live Debugger, portable logging interface v0.1.1]

Motivation





> On-board integration of a modern AVR chip (ATxmega128A4U)

> Memory: 128Kb of FLASH, 8Kb of SRAM, and 2Kb of EEPROM spaces and support for faster FRAM-based memory access

> Accelerated hardware support for AES and DES cryptographic engines

> Embedded firmware and flashable bootloader support to memory map the integrated RF hardware on the PCB

> Serial data transfer over wired micro-USB

> Embedded OSS firmware and bootloader sources in C and ASM compiled with avr-gcc that are flashed to the device over USB

> Convenient serial terminal that has a human-readable command set for easy on-the-fly configuration of emulated tags

> Ability to act as a PICC, PCD or bidirectional NFC packet sniffer depending on the active configuration set in one of the eight 8Kb sized partitions of the onboard memory

> Logging of time-stamped communication details and status events to internal FRAM memory, or in LIVE mode printed to the serial USB
DESFire NFC Tags

> Multiple nested and semi-interoperable generations of DESFire tags: Legacy Mifare DESFire, EV1, EV2, EV3 and Light variants

> Larger scale integrated memory storage sizes than most contactless NFC tags (usually 2Kb, 4Kb or 8Kb)

> Standard use of modern cryptographic algorithms for secure data exchange (legacy DES/3DES/AES-128/AES-256)

> Data messages optionally padded with cryptographically hashed bytes to ensure data integrity over the physical interface using 2-byte CRC checksums or 4-byte MAC trailers

> Implementations are complicated by proprietary handling of most DESFire tag specs by the manufacturers
> Files grouped by allocations of the physical IC memory into top-level subdirectories called applications indexed by unique application identifier (AID)

> Native file types: Standard data files (type 0), backup data files (type 1), value files (type 2), linear record files (type 3), and cyclic record files (type 4)

> Each file has 2 bytes of associated access rights to indicate the read, write, read-and-write, and change permissions

> Access permissions on the files provide more secure protections for storage of secret binary key data
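As an added illustration of the 2-byte access rights word described above (example code written for this page, not the Chameleon firmware's), a Go decoder and permission checker. The nibble layout, read / write / read&write / change from the most significant nibble down, with 0xE meaning free access and 0xF meaning never, is taken from the public MIFARE DESFire datasheet; the type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Special nibble values in a file's access rights word (layout assumed from the
// public MIFARE DESFire datasheet): 0x0..0xD name the application key that must
// be authenticated, 0xE grants free access and 0xF denies the operation outright.
const (
	AccessFree  = 0xE
	AccessNever = 0xF
)

// FileAccessRights is the decoded 2-byte word: one 4-bit key selector per permission.
type FileAccessRights struct {
	Read, Write, ReadWrite, Change byte
}

// DecodeAccessRights splits the word most-significant nibble first:
// read, write, read&write, change.
func DecodeAccessRights(word uint16) FileAccessRights {
	return FileAccessRights{
		Read:      byte((word >> 12) & 0xF),
		Write:     byte((word >> 8) & 0xF),
		ReadWrite: byte((word >> 4) & 0xF),
		Change:    byte(word & 0xF),
	}
}

// EncodeAccessRights is the inverse; it rejects selectors that do not fit a nibble.
func EncodeAccessRights(r FileAccessRights) (uint16, error) {
	for _, n := range []byte{r.Read, r.Write, r.ReadWrite, r.Change} {
		if n > 0xF {
			return 0, errors.New("access right selector does not fit in 4 bits")
		}
	}
	return uint16(r.Read)<<12 | uint16(r.Write)<<8 | uint16(r.ReadWrite)<<4 | uint16(r.Change), nil
}

// WordFromWire rebuilds the word from the two bytes as they travel in a command
// frame, least significant byte first.
func WordFromWire(lo, hi byte) uint16 { return uint16(hi)<<8 | uint16(lo) }

// permits applies one selector to the key number the PCD is currently
// authenticated with; authKey < 0 means no authentication has taken place.
func permits(field byte, authKey int) bool {
	switch field {
	case AccessFree:
		return true
	case AccessNever:
		return false
	default:
		return authKey == int(field)
	}
}

// The read&write selector grants both operations, so reads and writes consult
// their own field and the shared one; changing the rights has its own field only.
func (r FileAccessRights) AllowsRead(authKey int) bool {
	return permits(r.Read, authKey) || permits(r.ReadWrite, authKey)
}

func (r FileAccessRights) AllowsWrite(authKey int) bool {
	return permits(r.Write, authKey) || permits(r.ReadWrite, authKey)
}

func (r FileAccessRights) AllowsChange(authKey int) bool { return permits(r.Change, authKey) }

func main() {
	// Constructed word: key 1 reads, key 2 writes, no shared right, rights frozen.
	r := DecodeAccessRights(0x12FF)
	fmt.Printf("%+v  unauthenticated read: %v  key-1 read: %v  key-1 write: %v\n",
		r, r.AllowsRead(-1), r.AllowsRead(1), r.AllowsWrite(1))
}
```

The point for an emulator author is the asymmetry: a word such as 0x12EF looks locked down in its read and write fields but is wide open through the free read&write nibble, so a checker has to consult both fields for every read and write.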
> Instructions are communicated either as unpadded native commands or as ISO standardized wrapped APDU messages

PICC-to-PCD wrapped APDU data exchange format:

CLA  | INS          | P1   | P2   | Lc                      | Data Bytes   | Le
0x90 | command code | 0x00 | 0x00 | variable length of data | command data | 0x00

PCD-to-PICC format:

Data Bytes                    | SW1  | SW2 (Status)
DESFire command response data | 0x91 | 0xYY
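To make the wrapping concrete, here is an added Go example (not code from the slides or the ChameleonMini project) that builds the CLA 0x90 wrapped form of a native command, splits a reply into its data bytes and SW2, and follows additional-frame chaining. The use of 0xAF as both the "more data follows" status and the "send the next frame" instruction, and the status values 0x1C and 0x7E, are taken from the public DESFire datasheet rather than the slides; FakeTag is a constructed stand-in for a PICC, and all function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Native instruction codes from the command table; 0xAF doubles as the status
// meaning "more data follows" (assumed from the public DESFire datasheet).
const (
	INSSelectApplication = 0x5A
	INSGetApplicationIDs = 0x6A
	INSAdditionalFrame   = 0xAF
)

// WrapAPDU builds CLA INS P1 P2 [Lc data] Le for a native DESFire command.
// Lc and the data field are left out when the command carries no parameters
// (the ISO7816-4 case-2 form, assumed here).
func WrapAPDU(ins byte, data []byte) ([]byte, error) {
	if len(data) > 255 {
		return nil, errors.New("payload does not fit a one-byte Lc")
	}
	apdu := []byte{0x90, ins, 0x00, 0x00}
	if len(data) > 0 {
		apdu = append(apdu, byte(len(data)))
		apdu = append(apdu, data...)
	}
	return append(apdu, 0x00), nil
}

// Response is a reply split into its data bytes and the DESFire status (SW2).
type Response struct {
	Data   []byte
	Status byte
}

// UnwrapResponse checks the fixed SW1=0x91 and separates SW2 from the data.
func UnwrapResponse(raw []byte) (Response, error) {
	if len(raw) < 2 {
		return Response{}, errors.New("reply shorter than SW1 SW2")
	}
	sw1, sw2 := raw[len(raw)-2], raw[len(raw)-1]
	if sw1 != 0x91 {
		return Response{}, fmt.Errorf("SW1 0x%02X is not a wrapped DESFire status", sw1)
	}
	return Response{Data: append([]byte(nil), raw[:len(raw)-2]...), Status: sw2}, nil
}

// Transceive is the single hook a reader backend (or an emulator under test)
// has to provide: send one APDU, return the raw reply.
type Transceive func(apdu []byte) ([]byte, error)

// Exchange sends one native command and keeps asking for additional frames
// (INS 0xAF) while the PICC answers with status 0xAF, concatenating the data.
func Exchange(tx Transceive, ins byte, data []byte) ([]byte, byte, error) {
	apdu, err := WrapAPDU(ins, data)
	if err != nil {
		return nil, 0, err
	}
	var out []byte
	for {
		raw, err := tx(apdu)
		if err != nil {
			return nil, 0, err
		}
		resp, err := UnwrapResponse(raw)
		if err != nil {
			return nil, 0, err
		}
		out = append(out, resp.Data...)
		if resp.Status != INSAdditionalFrame {
			return out, resp.Status, nil
		}
		apdu, _ = WrapAPDU(INSAdditionalFrame, nil)
	}
}

// FakeTag is a constructed stand-in for a PICC: it accepts any AID and returns
// two 3-byte AIDs (LSB first) across two chained frames. Status values 0x7E
// (length error) and 0x1C (illegal command) are taken from the public datasheet.
func FakeTag(apdu []byte) ([]byte, error) {
	if len(apdu) < 5 || apdu[0] != 0x90 {
		return []byte{0x91, 0x7E}, nil
	}
	switch apdu[1] {
	case INSSelectApplication:
		return []byte{0x91, 0x00}, nil
	case INSGetApplicationIDs:
		return []byte{0x01, 0x00, 0x00, 0x91, INSAdditionalFrame}, nil
	case INSAdditionalFrame:
		return []byte{0x20, 0x30, 0x40, 0x91, 0x00}, nil
	}
	return []byte{0x91, 0x1C}, nil
}

func main() {
	aids, status, err := Exchange(FakeTag, INSGetApplicationIDs, nil)
	fmt.Printf("AIDs % x (final status 0x%02X, err %v)\n", aids, status, err)
}
```

Swapping FakeTag for a real libnfc or PC/SC transceive function is the only change needed to run the same Exchange loop against hardware.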
Command Long Name         | INS  | Description
AUTHENTICATE              | 0x0A | Legacy mode authentication
AUTHENTICATE_ISO          | 0x1A | ISO authentication with 3DES
AUTHENTICATE_AES          | 0xAA | Standard AES authentication
AUTHENTICATE_EV2_FIRST    | 0x71 | More recent EV2 authentication mode
AUTHENTICATE_EV2_NONFIRST | 0x77 | More recent EV2 authentication mode
CHANGE_KEY_SETTINGS       | 0x54 | Modify PICC master key properties
SET_CONFIGURATION         | 0x5C | Used to configure DESFire card or application specific attributes
CHANGE_KEY                | 0xC4 | Changes the key data stored on the PICC
GET_KEY_VERSION           | 0x64 | Returns the active key version stored on the PICC
CREATE_APPLICATION        | 0xCA | Creates new applications by unique AID
DELETE_APPLICATION        | 0xDA | Non-restorable deletion operation
GET_APPLICATION_IDS       | 0x6A | Returns a list of all AID codes stored on the PICC
FREE_MEMORY               | 0x6E | Returns the total free memory on the tag in bytes
GET_DF_NAMES              | 0x6D | Obtain the ISO7816-4 DF names associated with the tag
GET_KEY_SETTINGS          | 0x45 | Get permissions data and format for PICC and application master keys
SELECT_APPLICATION        | 0x5A | Select a specific application by AID for further access
Command Long Name         | INS  | Description
FORMAT_PICC               | 0xFC | Releases the previously stored user memory (not reversible)
GET_VERSION               | 0x60 | Returns manufacturing header data stored in the PICC
GET_CARD_UID              | 0x51 | Returns the 7-byte card UID assigned by the manufacturer
GET_FILE_IDS              | 0x6F | Get a list of the file identifiers (by index) within the selected AID
GET_FILE_SETTINGS         | 0xF5 | Obtain properties and permissions about a file
CHANGE_FILE_SETTINGS      | 0x5F | Modify access permissions of an existing file
CREATE_STDDATA_FILE       | 0xCD | Add new unformatted binary data storage file type
CREATE_BACKUPDATA_FILE    | 0xCB | Create unformatted binary file with a shadow backup mechanism
CREATE_VALUE_FILE         | 0xCC | Create new 32-bit integer storage file
CREATE_LINEAR_RECORD_FILE | 0xC1 | Create new fixed size file for sequential storage of structurally similar record data structures
CREATE_CYCLIC_RECORD_FILE | 0xC0 | Similar to the linear record case except that there is a wrap-around storage functionality when the file size limit is exceeded

















Command Long Name         | INS  | Description
DELETE_FILE               | 0xDF | Non-restorable deactivation of a file within the active AID
GET_ISO_FILE_IDS          | 0x61 | Returns a list of the 2-byte file identifiers of all files within the active AID
READ_DATA                 | 0xBD | Read byte-wise contents of standard or backup file types
WRITE_DATA                | 0x3D | Write data at an offset to standard or backup file types
GET_VALUE                 | 0x6C | Reads the last permanently stored integer from value records
CREDIT                    | 0x0C | Increase the integer stored in a value file
DEBIT                     | 0xDC | Decrease the integer stored in a value file
LIMITED_CREDIT            | 0x1C | Increase by a preset limited amount the integer in a value record (must commit the transaction changes at a later time)
WRITE_RECORD              | 0x3B | Write data to a linear or cyclic record file type
READ_RECORDS              | 0xBB | List the set of complete records in the associated file type
CLEAR_RECORD_FILE         | 0xEB | Reset a linear or cyclic record type to an empty state
COMMIT_TRANSACTION        | 0xC7 | Validates the previous write access permissions and credit permissions of all files within the selected AID
Command Long Name         | INS  | Description
ABORT_TRANSACTION         | 0xA7 | Invalidates the previous changes to the files within the selected AID
SELECT                    | 0xA4 | ISO7816-4 standard command support
GET_CHALLENGE             | 0x84 | ISO7816-4 standard command support
EXTERNAL_AUTHENTICATE     | 0x82 | ISO7816-4 standard command support
INTERNAL_AUTHENTICATE     | 0x88 | ISO7816-4 standard command support
READ_BINARY               | 0xB0 | ISO7816-4 standard command support
UPDATE_BINARY             | 0xD6 | ISO7816-4 standard command support
READ_RECORDS              | 0xB2 | ISO7816-4 standard command support
APPEND_RECORD             | 0xE2 | ISO7816-4 standard command support
Select Application By AID:

Start AES Authenticate:
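The AUTHENTICATE_AES command (INS 0xAA) started here opens a mutual challenge-response between reader and card; the slides only show its beginning, so the following Go example (added for this page, not taken from the DESFire stack's sources) plays both sides in-process, following the publicly documented exchange: the card sends E_K(RndB), the reader answers E_K(RndA || RndB') with RndB' a one-byte left rotation, the card returns E_K(RndA'), the CBC IV is carried across the steps instead of being reset, and the session key is assembled from halves of both nonces. The party type and every function name are this example's own, and a card that sees a wrong RndB' refuses before revealing anything about RndA.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// party is one side of the handshake; DESFire chains the CBC IV across steps
// (each operation starts from the last ciphertext block of the previous one).
type party struct {
	block      cipher.Block
	iv         []byte
	rndA, rndB []byte
}

// crypt runs AES-CBC in either direction and carries the IV forward.
func (p *party) crypt(in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(p.block, p.iv).CryptBlocks(out, in)
		p.iv = append([]byte(nil), out[len(out)-aes.BlockSize:]...)
	} else {
		cipher.NewCBCDecrypter(p.block, p.iv).CryptBlocks(out, in)
		p.iv = append([]byte(nil), in[len(in)-aes.BlockSize:]...)
	}
	return out
}

// rotl1 is the one-byte left rotation that turns RndX into RndX'.
func rotl1(b []byte) []byte { return append(append([]byte(nil), b[1:]...), b[0]) }

// SessionKey mixes both nonces: RndA[0:4] RndB[0:4] RndA[12:16] RndB[12:16].
func SessionKey(rndA, rndB []byte) []byte {
	k := append(append([]byte(nil), rndA[:4]...), rndB[:4]...)
	return append(append(k, rndA[12:]...), rndB[12:]...)
}

// Step 1 (PICC): AUTHENTICATE_AES (INS 0xAA, key number) is answered with status 0xAF and E_K(RndB).
func (p *party) Challenge() []byte {
	p.rndB = make([]byte, aes.BlockSize)
	rand.Read(p.rndB) // crypto/rand never returns an error on current Go releases
	return p.crypt(p.rndB, true)
}

// Step 2 (PCD): recover RndB, draw RndA, send E_K(RndA || RndB') as the 0xAF continuation frame.
func (p *party) Respond(encRndB []byte) ([]byte, error) {
	if len(encRndB) != aes.BlockSize {
		return nil, errors.New("expected 16-byte E_K(RndB)")
	}
	p.rndB = p.crypt(encRndB, false)
	p.rndA = make([]byte, aes.BlockSize)
	rand.Read(p.rndA)
	return p.crypt(append(append([]byte(nil), p.rndA...), rotl1(p.rndB)...), true), nil
}

// Step 3 (PICC): a wrong RndB' means the reader lacks the key and the card refuses;
// otherwise it answers status 0x00 with E_K(RndA').
func (p *party) Verify(frame []byte) ([]byte, error) {
	if len(frame) != 2*aes.BlockSize {
		return nil, errors.New("expected 32-byte authentication frame")
	}
	pt := p.crypt(frame, false)
	if !bytes.Equal(pt[aes.BlockSize:], rotl1(p.rndB)) {
		return nil, errors.New("RndB' mismatch: reader does not hold the key")
	}
	p.rndA = pt[:aes.BlockSize]
	return p.crypt(rotl1(p.rndA), true), nil
}

// Step 4 (PCD): check E_K(RndA') and derive the session key.
func (p *party) Finish(encRndA []byte) ([]byte, error) {
	if len(encRndA) != aes.BlockSize || !bytes.Equal(p.crypt(encRndA, false), rotl1(p.rndA)) {
		return nil, errors.New("RndA' mismatch: card does not hold the key")
	}
	return SessionKey(p.rndA, p.rndB), nil
}

// Authenticate runs the exchange in-process between a reader holding readerKey and
// a card holding cardKey; on success it returns both sides' session keys.
func Authenticate(readerKey, cardKey []byte) (readerSK, cardSK []byte, err error) {
	if len(readerKey) != aes.BlockSize || len(cardKey) != aes.BlockSize {
		return nil, nil, errors.New("AES-128 keys must be 16 bytes")
	}
	cb, _ := aes.NewCipher(cardKey)
	rb, _ := aes.NewCipher(readerKey)
	card, rdr := &party{block: cb, iv: make([]byte, 16)}, &party{block: rb, iv: make([]byte, 16)}
	frame, err := rdr.Respond(card.Challenge())
	if err != nil {
		return nil, nil, err
	}
	encA, err := card.Verify(frame)
	if err != nil {
		return nil, nil, err
	}
	if readerSK, err = rdr.Finish(encA); err != nil {
		return nil, nil, err
	}
	return readerSK, SessionKey(card.rndA, card.rndB), nil
}
```

In an emulator the Challenge and Verify halves are what the firmware runs; Respond and Finish are the reader's half, included so the exchange can be exercised end to end without hardware. The carried-forward IV is the detail that most often breaks interoperability: resetting it to zero between steps produces frames a real reader rejects.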
An Embedded Open Source DESFire Stack for the Chameleon Mini

OSS Embedded DESFire

> New native AES support using hardware acceleration

> Extensions of prior work to add hardware based DES and 3DES support to the firmware

> Changes to the codec layer of the firmware to support DESFire tags

> Enhancements and bug fixes to the LIVE logging functionality of the Chameleon RevG devices

> New default customized extension of the Chameleon terminal commands to enhance DESFire configuration support for users (see next slide)
> CONFIG=MF_DESFIRE
> DF_SETHDR=ATS 0675F7B102
> UID=2377000B99BF98

DF_SETHDR=ATS xxxxxxxxxx
DF_SETHDR=HardwareVersion xxxx
DF_SETHDR=SoftwareVersion xxxx
DF_SETHDR=BatchNumber xxxxxxxxxx
DF_SETHDR=ProductionDate xxxx

[Screenshot: Chameleon Mini Live Debugger (portable NFC device logger, v1.2.7-free), DESFire tag configuration commands: SET-HWVER, SET-SWVER, SET-BATCHNO, SET-PRODDATE, PPRINT-FULL, PPRINT-PICCHDR, FWINFO, LOGMODE=ON, LOGMODE=OFF, TESTMODE=ON, TESTMODE=OFF; appendix and troubleshooting section]


NFC reader: SCM Micro / SCL3711-NFC&RW opened
Sent bits: 26 (7 bits)
Received bits: 03 44
Sent bits: 93 20
Received bits: 88 23 77 00 dc
Sent bits: 93 70 88 23 77 00 dc 4b b3
Received bits: 04
Sent bits: 95 20
Received bits: 0b 99 bf 98 b5
Sent bits: 95 70 0b 99 bf 98 b5 2f 24
Received bits: 20
Sent bits: e0 50 be a5
Received bits: 75 77 81 02 80
Sent bits: 50 00 57 cd

Found tag with
UID: 2377000b99bf98
ATQA: 4403
SAK: 20
ATS: 75 77 81 02 80
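The trace above is the ISO14443-3 anticollision sequence libnfc ran against the emulated tag. As an added example (not the slides' or the Chameleon project's code), the Go program below parses those Sent/Received lines, recomputes the BCC check byte on each cascade level, rebuilds the 7-byte UID from the two levels (the 0x88 cascade tag is not part of the UID), reads the ATQA in its on-wire byte order and keeps the SAK and ATS, reproducing the UID, ATQA, SAK and ATS the reader printed. The sampleTrace constant is transcribed from the slide with the OCR-damaged "@" digits restored as "0"; the type and function names are this example's own.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sampleTrace is transcribed from the slide's libnfc output, with the
// OCR-damaged "@" digits restored as "0"; it serves as the constructed input.
const sampleTrace = `Sent bits: 26 (7 bits)
Received bits: 03 44
Sent bits: 93 20
Received bits: 88 23 77 00 dc
Sent bits: 93 70 88 23 77 00 dc 4b b3
Received bits: 04
Sent bits: 95 20
Received bits: 0b 99 bf 98 b5
Sent bits: 95 70 0b 99 bf 98 b5 2f 24
Received bits: 20
Sent bits: e0 50 be a5
Received bits: 75 77 81 02 80
Sent bits: 50 00 57 cd`

// Frame is one trace line: direction and raw bytes.
type Frame struct {
	Sent  bool
	Bytes []byte
}

// ParseTrace turns "Sent bits:" / "Received bits:" lines into frames, dropping notes like "(7 bits)".
func ParseTrace(trace string) ([]Frame, error) {
	var frames []Frame
	for _, line := range strings.Split(trace, "\n") {
		sent := strings.HasPrefix(line, "Sent bits:")
		if !sent && !strings.HasPrefix(line, "Received bits:") {
			continue
		}
		hexPart, _, _ := strings.Cut(line[strings.Index(line, ":")+1:], "(")
		b, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(hexPart), " ", ""))
		if err != nil {
			return nil, fmt.Errorf("bad hex in %q: %w", line, err)
		}
		frames = append(frames, Frame{Sent: sent, Bytes: b})
	}
	return frames, nil
}

// Summary is what the anticollision phase reveals about the tag.
type Summary struct {
	ATQA uint16
	UID  []byte
	SAK  byte // SAK answered after the last cascade level
	ATS  []byte
}

// bcc is the XOR check byte that trails each 4-byte cascade-level fragment.
func bcc(b []byte) (x byte) {
	for _, v := range b {
		x ^= v
	}
	return
}

// Summarize pairs each sent frame with the reply after it: REQA (0x26) gives the
// ATQA, SELECT CLn (0x93/0x95/0x97, 0x20) a UID fragment plus BCC, SELECT with
// 0x70 the SAK, and RATS (0xE0) the ATS.
func Summarize(frames []Frame) (Summary, error) {
	var s Summary
	for i := 0; i+1 < len(frames); i++ {
		cmd, rsp := frames[i].Bytes, frames[i+1].Bytes
		if !frames[i].Sent || frames[i+1].Sent || len(cmd) == 0 {
			continue
		}
		isSel := len(cmd) >= 2 && (cmd[0] == 0x93 || cmd[0] == 0x95 || cmd[0] == 0x97)
		switch {
		case cmd[0] == 0x26 && len(rsp) == 2:
			s.ATQA = uint16(rsp[1])<<8 | uint16(rsp[0]) // transmitted LSB first
		case isSel && cmd[1] == 0x20:
			if len(rsp) != 5 || bcc(rsp[:4]) != rsp[4] {
				return s, fmt.Errorf("bad BCC in cascade response % x", rsp)
			}
			frag := rsp[:4]
			if frag[0] == 0x88 { // cascade tag: the UID continues at the next level
				frag = frag[1:]
			}
			s.UID = append(s.UID, frag...)
		case isSel && cmd[1] == 0x70 && len(rsp) > 0:
			s.SAK = rsp[0]
		case cmd[0] == 0xE0:
			s.ATS = rsp
		}
	}
	if s.SAK&0x04 != 0 {
		return s, errors.New("final SAK still flags an incomplete UID")
	}
	return s, nil
}
```

For an emulator author the two things worth checking in such a trace are the BCC on every cascade level (a wrong check byte is the most common reason a reader silently drops an emulated UID) and the SAK bit 0x04, which must be set after cascade level 1 and clear after the last level so the reader knows the UID is complete.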
> Approximately six to eight months of active development were required to complete the project

> Forced by local embedded system constraints to carefully optimize and organize our use of the embedded AVR memory to resolve insufficient memory type exceptions

> The speedup in computations for AES and 3DES operations provides an order of magnitude improvement compared to existing OSS libraries for AVR chips

> A complicated nested, quasi-linked pointer based structure was required to efficiently store the filesystem entries and tag accounting metadata
Credits and Concluding Discussion

Concluding Remarks

> Initial sources for the DESFire Chameleon firmware are due to Dmitry Janushkevich (@devzzo) (2017)

> Professor Josephine Yu in the School of Math at GA Tech in the US

> The original Kasper and Oswald (KAOS) developers of the Chameleon Mini hardware and software

> David Oswald from the University of Birmingham in the UK


That brings me to the most important piece of advice that I can give to all of you: if you've got a good idea, and it's a contribution, I want you to go ahead and DO IT. It is much easier to apologize than it is to get permission. — Grace Hopper

I think a lot of the basis of the open source movement comes from procrastinating students. — Andrew Tridgell

Life would be much easier if I had the source code. — Anonymous





Thank you for attending! 


Bibliography 





Android HCE DESFire: A software implementation of Desfire in an Android app. https://github.com/jekkos/android-hce-desfire

Chameleon Mini Firmware (authoritative sources). https://github.com/emsec/ChameleonMini

ISO/IEC 14443, 15693 and 7816 Standards. Identification Cards - Contactless Integrated Circuit Cards. www.iso.org

Kasper T., von Maurich I., Oswald D., Paar C. (2011) Chameleon: A Versatile Emulator for Contactless Smartcards. In: Rhee KH., Nyang D. (eds) Information Security and Cryptology - ICISC 2010. ICISC 2010. Lecture Notes in Computer Science, vol 6829. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24209-0_13

Kasper, T. and Oswald, D. Presentation slides on the history of the Chameleon Mini devices. https://raw.github.com/wiki/emsec/ChameleonMini/Images/160110_ChameleonMini_history_smaller.pdf










LibFreeFare: A convenience API for NFC cards manipulations on top of LibNFC. https://github.com/nfc-tools/libfreefare

LibNFC: A platform independent NFC library. https://github.com/nfc-tools/libnfc

Microchip. ATxmega128A4U Data Sheet. https://ww1.microchip.com/downloads/en/DeviceDoc/ATxmega128-64-32-16A4U-DataSheet-DS40002166A.pdf

NXP Semiconductors. MIFARE DESFire Functional specification. Publicly available MF3ICD81 datasheet (2008). https://tinyurl.com/kwweanp9

Philips Semiconductors. Mifare DESFire: Contactless multi-application IC with DES and 3DES security. Publicly available MF3-IC-D40 datasheet (2004). https://tinyurl.com/5era3dx2

Proxmark III. A Radio Frequency IDentification Tool. http://www.proxmark.org





Schmidt, M. D. Chameleon Mini DESFire Stack (development sources). https://github.com/maxieds/ChameleonMiniDESFireStack

Schmidt, M. D. Chameleon Mini Live Debugger. https://github.com/maxieds/ChameleonMiniLiveDebugger







